sshd looks in the user's home dir for the authorized keys when the user tries to connect. This creates a problem if the server exports the home dir with write access to the client. If someone breaks in the client machine, not as root but only on a user account, it can create another key and put it in the server through the nfs mount. Then the breaker can access the server... It'd be good to have a config option for the server to specify a different directory than the home to look for authorized keys so that we can put the keys in a non-exported place.
